Overall Architecture
- Architecture must reflect access policies, not focus on the functionality of a particular class of devices.
- Inside community must be fairly small.
- How to deal with departments fed from different switch rooms if inside hosts need access to each other?
- Can we provide this service at NoVA?
- We must find a way to support IPv6. The last thing we need to do is give any support to the idea that you can't do IPv6 if you want enhanced security.
- Does not reduce any of the current system-management needs for hosts on the limited access networks. System management remains the primary security control.
- We will likely face similar access issues with some of the phone network.
Access levels
- Current access
  - What we do today. This represents the minimum access policy that applies to every device on the network.
  - No reason we can't step up non-disruptive monitoring if resources become available.
- Limited access
  - Probably behind NAT (not because that contributes any security, but because addresses are in short supply).
    - How to deal with IPv6?
  - No servers directly reachable from outside (i.e. no static mapping to addresses).
    - Departmental servers could have a second NIC connected to both public and limited access.
  - IPS
  - Enhanced monitoring
  - Mandatory security reviews
  - Stateful firewall
  - Administrative admission procedure, i.e. not just anyone can join this network.
    - What do we tell folks who we don't let join and are later compromised?
  - Default deny
  - Hosts (which could be virtual) must be dedicated to sensitive data. No general use for e-mail, Microsoft Office, and web browsing.
  - Must provide sufficient import/export mechanisms so users don't have to roll their own.
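As an added example (not part of these notes), one way to express the limited-access controls listed above as a dual-stack nftables ruleset: default deny, stateful, no inbound mappings, outbound only to the sanctioned import/export service, and IPv4 NAT used for address scarcity rather than security. Interface names, prefixes and the export-server addresses are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original notes. Boundary between the
# limited-access segment and the campus/public side. All names and
# addresses below are assumptions for illustration.
flush ruleset

define limited_if = "eth1"           # assumed: limited-access segment
define public_if  = "eth0"           # assumed: campus / public side
define limited_v4 = 10.250.0.0/24    # assumed RFC1918 space behind NAT
define limited_v6 = 2001:db8:1::/64  # assumed documentation prefix; IPv6 is routed, not NATed

table inet limited {
    # The only outside services hosts on the limited segment may initiate to (assumed).
    set export_servers_v4 { type ipv4_addr; elements = { 10.1.2.3 } }
    set export_servers_v6 { type ipv6_addr; elements = { 2001:db8:2::3 } }

    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny

        # Stateful: replies to connections initiated from inside are allowed.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 error messages are required for IPv6 (path MTU discovery) to work.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # No inbound-initiated connections from the public side; no static mappings exist.
        iifname $public_if oifname $limited_if drop

        # Outbound from the limited segment: only the sanctioned import/export service.
        iifname $limited_if oifname $public_if ip  daddr @export_servers_v4 tcp dport 443 accept
        iifname $limited_if oifname $public_if ip6 daddr @export_servers_v6 tcp dport 443 accept

        # Everything else is logged for the enhanced-monitoring feed, then dropped.
        log prefix "limited-deny: " drop
    }
}

table ip limited_nat {
    # IPv4 only: NAT because addresses are scarce, not as a security control.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $limited_v4 oifname $public_if masquerade
    }
}
```

Loading the ruleset with nft -f on the boundary host applies it atomically; the `log prefix` line is what the IPS/IDS and monitoring probes would consume.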
Resources
- Provisioning
  - How do people get on to the limited access network?
  - There are definitely departments that would want to join, e.g. Grads.
- Hardware
  - IPv6 firewall
  - Firewall
  - NAT
  - IPS/IDS
  - Generic probes
  - NAC?
  - CA?
- People
  - Network analyst
  - Security analyst (security reviews)